Learning To Listen For Learning

Can you hear me? Are you listening to me? Those two statements are used frequently to see if someone is paying attention to what you’re saying. Their connotation is very different though. One asks a question about whether you can tell if there are words coming out of someone’s mouth. Is the language something you can process? The other question is all about understanding.

Taking Turns Speaking

“Seek first to understand,then to be understood.” – Stephen Covey

Listening is hard. Like super hard. How often do you find yourself on a conference call with your mind wandering to other things you need to take care of? How many times have we seen someone shopping online for shoes or camping gear instead of taking notes on the call they should be paying attention to? They answer is more often than we should.

Attention spans are hard for everyone, whether you’re affected by attention disorders or have normal brain chemistry. Our minds hate being bored. They’re always looking for a way to escape to something more exciting and stimulating. You know you can feel it when there’s a topic that seriously interests you and pulls you in versus the same old Continue reading

Unwrap the SERVFAIL

Unwrap the SERVFAIL

We recently released a new version of Cloudflare Resolver which adds a piece of information called “Extended DNS Errors” (EDE) along with the response code under certain circumstances. This will be helpful in tracing DNS resolution errors and figuring out what went wrong behind the scenes.

Unwrap the SERVFAIL
(image from: https://www.pxfuel.com/en/free-photo-expka)

A tight-lipped agent

The DNS protocol was designed to map domain names to IP addresses. To inform the client about the result of the lookup, the protocol has a 4 bit field, called response code/RCODE. The logic to serve a response might look something like this:

function lookup(domain) {
    ...
    switch result {
    case "No error condition":
        return NOERROR with client expected answer
    case "No record for the request type":
        return NOERROR
    case "The request domain does not exist":
        return NXDOMAIN
    case "Refuse to perform the specified operation for policy reasons":
        return REFUSE
    default("Server failure: unable to process this query due to a problem with the name server"):
        return SERVFAIL
    }
}

try {
    lookup(domain)
} catch {
    return SERVFAIL
}

Although the context hasn't changed much, protocol extensions such as DNSSEC have been added, which makes the RCODE run out of space to express the server's internal Continue reading

Using the Midnight Commander to browse Linux directories

Midnight Commander – the "mc" command – provides an easy way to browse directories and to view, move, delete, compare, change and edit files. Similar in some ways to ranger, mc makes it easy to move around directories and offers side-by-side file/directory listings that work independently of each other. In addition, it provides a very wide range of actions that you can take through simple menu choices.To start Midnight Commander, simply type "mc" in a terminal window. When you open mc, both the left and right sides of the display will look the same and will show the contents of whatever directory you started in. You can switch sides using the tab key or simply by clicking on a directory or file in the side of the display. You can select a file or directory simply by clicking on it. You can also browse directory contents using the up and down arrow keys.To read this article in full, please click here

Who’s selling SASE and what do you get?

Demand for secure access service edge (SASE) has grown tremendously during the pandemic. As adoption picks up, vendors are promising feature-rich and integrated SASE solutions. Customers have different needs when it comes to SASE, however, and it’s not always easy to understand what a SASE provider is offering.As an approach, SASE combines networking and security into a scalable cloud service that fits with the remote and hybrid work models companies use today. Potential benefits include easier network and security management, flexibility to scale up or down as business needs require, and lower costs.To read this article in full, please click here

Who’s selling SASE and what do you get?

Demand for secure access service edge (SASE) has grown tremendously during the pandemic. As adoption picks up, vendors are promising feature-rich and integrated SASE solutions. Customers have different needs when it comes to SASE, however, and it’s not always easy to understand what a SASE provider is offering.As an approach, SASE combines networking and security into a scalable cloud service that fits with the remote and hybrid work models companies use today. Potential benefits include easier network and security management, flexibility to scale up or down as business needs require, and lower costs.To read this article in full, please click here

Introducing Data-in-Transit Encryption for Calico Enterprise

We’re excited to announce that Calico Enterprise, the leading solution for Kubernetes networking, security and observability in hybrid and multi-cloud environments, now includes encryption for data-in-transit.

Calico Enterprise is known for its rich set of network security implementations to protect container workloads by restricting traffic to and from trusted sources. These include, but are not limited to, implementing existing enterprise security controls in Kubernetes, managing egress access using DNS policy, extending firewalls to Kubernetes, and intrusion detection and threat defense. As the Kubernetes footprint expands, however, we’ve seen demand for an even greater in-depth approach to protecting sensitive data that falls under regulatory compliance mandates.

Not all threats originate from outside an organization. According to Gartner, nearly 75% of breaches happen due to insider behavior, from people within the organization such as employees, former employees, contractors or business associates, who have inside information concerning the organization’s security practices, data and computer systems. This level of exposure is unacceptable for organizations that have strict data protection and regulatory compliance requirements. No matter where a threat originates, encrypted data is unreadable to anyone except the legitimate keyholder, thus protecting the data should a breach occur.

Several regulatory standards Continue reading

DDoS protection of local address space


Docker DDoS testbed describes how to use Docker Desktop to experiment with Real-time DDoS mitigation using BGP RTBH and FlowSpec. In this article, Real-time BGP route analytics are used to automatically classify address space, replacing the manually configured classification in the previous example.

Routers supporting the sFlow extended_gateway extension include BGP routing information as part of the exported telemetry stream.  Real-time DDoS mitigation using BGP RTBH and FlowSpec describes how to configure an Arista router.
sflow sample 16384
sflow polling-interval 30
sflow extension bgp
sflow destination 10.0.0.70
sflow run
Adding the highlighted command to the sFlow configuration above enables the extended_gateway extension.

The alternative if the router doesn't support the extended_gateway extension, or doesn't support sFlow at all, sFlow-RT can be configured to match up sFlow streams from switches with routes discovered via BGP from routers in order to perform the route analytics needed to automatically classify DDoS attacks. The Docker DDoS testbed has separate sFlow and BGP agents, and so requires the use of this technique.

Start a Host sFlow agent using the pre-built sflow/host-sflow image:
docker run --rm -d -e "COLLECTOR=host.docker.internal" -e "SAMPLING=10" \
--net=host -v /var/run/docker.sock:/var/run/docker.sock:ro \
--name=host-sflow sflow/host-sflow
Continue reading

Cisco fortifies and simplifies its security portfolio with eye toward cloud, zero trust

Simplifying security options for enterprise customers is a daunting task, and it can be even harder in the current pandemic-driven workforce environment. But Cisco is taking steps to both streamline and bolster its security menu, according to news out of its virtual Partner Summit conference. For starters, Cisco is eliminating 50 product names and simplifying its offerings within the renamed Cisco Secure portfolio. Cisco is also reinforcing its key platforms, including its SecureX and zero trust packages. (See related story, Cisco software upgrades to simplify hybrid-cloud management, operations)To read this article in full, please click here

Cisco fortifies and simplifies its security portfolio with eye toward cloud, zero trust

Simplifying security options for enterprise customers is a daunting task, and it can be even harder in the current pandemic-driven workforce environment. But Cisco is taking steps to both streamline and bolster its security menu, according to news out of its virtual Partner Summit conference. For starters, Cisco is eliminating 50 product names and simplifying its offerings within the renamed Cisco Secure portfolio. Cisco is also reinforcing its key platforms, including its SecureX and zero trust packages. (See related story, Cisco software upgrades to simplify hybrid-cloud management, operations)To read this article in full, please click here

Setting Up Cloud Deployments Using Docker, Azure and Github Actions

A few weeks ago I shared a blog about how to use GitHub Actions with Docker, prior to that Guillaume has also shared his blog post on using Docker and ACI. I thought I would bring these two together to look at a single flow to go from your code in GitHub all the way through to deploying on ACI using our new Docker to ACI experience!

To start, let’s remember where we were with our last Github action. Last time we got to a point where our builds to master would be re-built and pushed to Docker Hub (and we used some caching to speed these up).  

name: CI to Docker Hub
 
on:
 push:
   tags:
     - "v*.*.*"
 
jobs:
 
 build:
   runs-on: ubuntu-latest
   steps:
     -
       name: Checkout
       uses: actions/checkout@v2
     -      
       name: Set up Docker Buildx
       id: buildx
       uses: docker/setup-buildx-action@v1
     -    
       name: Cache Docker layers
       uses: actions/cache@v2
       with:
         path: /tmp/.buildx-cache
         key: ${{ runner.os }}-buildx-${{ github.sha }}
         restore-keys: |
           ${{ runner.os }}-buildx-
     -
       uses: docker/login-action@v1
       with:
         username: ${{ secrets.DOCKER_USERNAME }}
         password: ${{ secrets.DOCKER_PASSWORD }}
     -
       name: Build and push
       id: docker_build
       uses: docker/build-push-action@v2
       with:
         context: ./
         file: ./Dockerfile
         builder: ${{ steps.buildx.outputs.name  Continue reading

‘Credible threat’: How to protect networks from ransomware

(Editor’s note, Oct. 29, 2020: With the FBI and US Department of Homeland Security recently warning of credible cyberthreats to healthcare facilities including ransomware, it’s a good time to review the steps outlined in this article that enterprises can take to guard against such attacks.)Ransomware attacks are becoming more rampant now that criminals have learned they are an effective way to make money in a short amount of time.Attackers do not even need any programming skills to launch an attack because they can obtain code that is shared among the many hacker communities. There are even services that will collect the ransom via Bitcoin on behalf of the attackers and just require them to pay a commission.To read this article in full, please click here

‘Credible threat’: How to protect networks from ransomware

(Editor’s note, Oct. 29, 2020: With the FBI and US Department of Homeland Security recently warning of credible cyberthreats to healthcare facilities including ransomware, it’s a good time to review the steps outlined in this article that enterprises can take to guard against such attacks.)Ransomware attacks are becoming more rampant now that criminals have learned they are an effective way to make money in a short amount of time.Attackers do not even need any programming skills to launch an attack because they can obtain code that is shared among the many hacker communities. There are even services that will collect the ransom via Bitcoin on behalf of the attackers and just require them to pay a commission.To read this article in full, please click here

1 809 810 811 812 813 3,789